Bob Lord reports that NSS (Network Security Services), the crypto library that powers software such as Firefox, Thunderbird, Open Office, and Fedora Directory Server, has recently been FIPS 140-2 level 2 validated by NIST. This is an important milestone because NSS is the only open source crypto library that is validated to level 2 (the highest available certification for software). Level 1 allows use in a single-user environment, while level 2 allows a multi-user environment. That not inconsiderable detail allows NSS-based software to be deployed into security-sensitive environments that resemble the commonly used configuration for modern operating systems.

This is also an important milestone because software applications that use the NSS library for crypto, while also following the security policy of the validation, are legitimately able to claim compliance. The reason is that NSS draws the crypto boundary behind its APIs, and no private keys are accessible to applications. This means that a whole bunch of software just became usable in an ever-increasing number of environments requiring FIPS 140-2 level 2 validation.

Congratulations to the NSS team.